Chinese Hackers APT41 Use MessageTap Malware to Read People’s SMS

A group of hackers, known to be commissioned by the Chinese government to carry out sophisticated cybercrime and cyber espionage campaigns, has been tapping into the servers of telecommunications providers and infrastructure (through malware) to read and save SMS messages sent through the network.

The malware called MessageTap has been attributed to the prolific state-sponsored hacking group named APT41. The group has been carrying out both financial attacks and espionage campaigns for the Chinese government since 2014.

FireEye’s report revealed that the group has been deploying the MessageTap malware in the wild from 2012 to the present. The discovery makes it risky to send messages through SMS, as the malware can download and read the entire content of any message that it flags.

An Installation Script?

The MessageTap malware is a “64-bit ELF data miner initially loaded by an installation script.” Once installed, the malware then looks for two types of files: keyword_parm.txt and parm.txt. When the malware detects the presence of both files, it reads and decodes the contents of the data.

The two files that the malware looks for are crucial, since they contain sensitive information. The parm.txt file contains lists of International Mobile Subscriber Identity (IMSI) numbers and phone numbers. The second file, keyword_parm.txt, contains a list of keywords that are read into keywordVec.

“Both files are deleted from disk once the configuration files are read and loaded into memory. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server,” the report reads.

General Overview Diagram of MESSAGETAP | Photo: FireEye

In other words, the malware looks for the keywords listed in keyword_parm.txt and then matches them against the IMSI numbers and phone numbers to determine where the messages containing a keyword of interest to the hackers came from.

The MessageTap malware was designed as an espionage tool: it looks for keywords that align with the geopolitical interests of Chinese intelligence collection.

The keywords include the names of political leaders, military and intelligence organizations, and political movements that the Chinese government considers adversaries. If any of these keywords appears in a text message, the malware saves the entire content of the SMS for later use.

Who’s APT41? Chinese Hackers?

FireEye linked the SMS and telecommunications infrastructure attacks to the Chinese government-sponsored hacking group APT41. The group has simultaneously carried out financially motivated operations and state-sponsored espionage activity for the last five years.

Timeline of industries directly targeted by APT41 | Photo: FireEye

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be an activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cybercrime and cyber espionage operations from 2014 onward,” the researchers note.

The discovery of APT41’s cyber espionage campaign using the MessageTap malware highlights the importance of using encrypted messaging services. With end-to-end encryption, a message is encrypted with a key on the sender’s end and can only be decrypted with the corresponding key on the receiver’s end, so an intermediary such as a carrier’s SMS server sees only ciphertext. Many messaging applications now offer end-to-end encrypted messaging, including WhatsApp, Telegram, Viber, and others.
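To make that contrast concrete, here is an added example written for this article; it is not FireEye’s code and not taken from any MESSAGETAP sample. It models the selection logic described above (keywords from keyword_parm.txt, IMSIs and phone numbers from parm.txt) with constructed values, then runs the same message through that filter twice: once as a plaintext SMS and once as an end-to-end encrypted message between two constructed parties. The encryption (X25519 key agreement, SHA-256 of the shared secret as the key, AES-256-GCM) is a simplified construction chosen for the example, and treating a listed number or IMSI as a match on its own is also this example’s assumption rather than a claim from the report.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for the two configuration files the article describes:
// keyword_parm.txt (keywords loaded into keywordVec) and parm.txt (IMSIs and
// phone numbers). Every value here is invented for this example.
var keywordVec = []string{"election", "protest"}

var listedSubscribers = map[string]bool{
	"+15550100":       true, // a listed phone number
	"001010123456789": true, // a listed IMSI
}

// sms is what a filter on an SMS-routing server can observe about one message.
// Body is the plaintext SMS text, or the ciphertext of an E2E message.
type sms struct {
	Sender, Receiver, SenderIMSI, Body string
}

// flagged models the selection the article describes: keep the whole message
// when its body contains a keyword, or (this example's assumption) when a
// party is on the subscriber list.
func flagged(m sms) bool {
	body := strings.ToLower(m.Body)
	for _, kw := range keywordVec {
		if strings.Contains(body, kw) {
			return true
		}
	}
	return listedSubscribers[m.Sender] || listedSubscribers[m.Receiver] || listedSubscribers[m.SenderIMSI]
}

// sessionKey derives a symmetric key from an X25519 exchange. Hashing the raw
// shared secret with SHA-256 stands in for a real KDF to keep the example short.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a truncated or tampered message fails authentication.
func open(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Compare runs body through the filter as a plaintext SMS and as E2E ciphertext
// between two constructed, unlisted parties, and returns what the receiver decrypts.
func Compare(body string) (plainFlagged, encFlagged bool, recovered string, err error) {
	curve := ecdh.X25519()
	sender, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	receiver, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	sendKey, err := sessionKey(sender, receiver.PublicKey())
	if err != nil {
		return
	}
	recvKey, err := sessionKey(receiver, sender.PublicKey())
	if err != nil {
		return
	}
	ct, err := seal(sendKey, []byte(body))
	if err != nil {
		return
	}
	plainFlagged = flagged(sms{Sender: "+15550198", Receiver: "+15550199", Body: body})
	encFlagged = flagged(sms{Sender: "+15550198", Receiver: "+15550199", Body: string(ct)})
	pt, err := open(recvKey, ct)
	if err != nil {
		return
	}
	recovered = string(pt)
	return
}

func main() {
	p, e, r, err := Compare("Meet at the protest tonight")
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext SMS flagged: %v\nE2E ciphertext flagged: %v\nreceiver reads: %q\n", p, e, r)
}
```

The point the run makes is that the filter fires on the plaintext SMS and on listed subscribers, but has nothing to match against once the body is ciphertext, while the receiver still recovers the message; metadata such as sender and receiver numbers remains visible to the intermediary, which is why the subscriber-list part of the filter still works on encrypted traffic.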